Merge pull request #3038 from deads2k/long-kubelet-trust
Bug 1693951: tls: extended lifetime of master kubelet bootstrap credentials
openshift-merge-robot committed Feb 4, 2020
2 parents c47dffd + 462ba89 commit 90bcf0e
Showing 1 changed file with 2 additions and 1 deletion.
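--- a/pkg/asset/tls/kubelet.go
+++ b/pkg/asset/tls/kubelet.go
@@ -157,6 +157,7 @@ func (a *KubeletBootstrapCABundle) Name() string {
 }
 
 // KubeletClientCertKey is the asset that generates the key/cert pair for kubelet client to apiserver.
+// This credential can be revoked by deleting the configmap containing its signer.
 type KubeletClientCertKey struct {
 SignedCertKey
 }
@@ -181,7 +182,7 @@ func (a *KubeletClientCertKey) Generate(dependencies asset.Parents) error {
 Subject: pkix.Name{CommonName: "system:serviceaccount:openshift-machine-config-operator:node-bootstrapper", Organization: []string{"system:serviceaccounts:openshift-machine-config-operator"}},
 KeyUsages: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
 ExtKeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
-Validity: ValidityOneDay,
+Validity: ValidityTenYears,
 }
 
 return a.SignedCertKey.Generate(cfg, ca, "kubelet-client", DoNotAppendParent)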
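Review bot: The new `Validity: ValidityTenYears,` line in Generate has no comment saying why a client credential for `system:serviceaccount:openshift-machine-config-operator:node-bootstrapper` is allowed to live ten years, so the compensating control is only discoverable from the type comment added in the first hunk. I would add `// Ten-year validity is deliberate; revoke by deleting the configmap containing the signer, not by waiting for expiry.` above it, and extend the type comment to name that configmap (`<signer-configmap-name>`, not visible here) so an incident responder can find it. Removing the signer presumably invalidates every certificate it issued, which is worth stating as well. The validity of `ca` is set outside this hunk; if it is shorter than ten years the effective lifetime is bounded by the signer, so the two should be checked together. Generate's body starts and ends outside the hunk.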
